The CIA’s Unexploded CyberBomb

In early March, WikiLeaks pushed a huge trove of government
secrets into the public domain. It was dubbed Vault 7 and,
consisting of more than 8,700 Central Intelligence Agency
documents, was described in news reports as the biggest such
leak in the spy agency's history. If there is a hall of
fame, or of infamy, for unauthorized leaks, then
Vault 7 seems deserving of a place alongside the alleged thefts
attributed to former Army intelligence analyst Chelsea Manning
and exiled National Security Agency contractor Edward Snowden,
to name just two prominent examples of the digital era.

At least as disturbing as the Vault 7 compromise was what it
exposed about tools and techniques for breaking into
smartphones and eavesdropping through televisions and other
devices connected to the Internet of Things. There was also the
question of who did the leaking and whether it was the result
of a nation-state attack.

The CIA issued a statement March 8 that it had
no comment on the authenticity of the documents.

Intelligence and cybersecurity experts for the most part
accepted the documents at face value. Snowden himself tweeted
that the code names and terminology looked legitimate and that
Vault 7 seemed to be genuinely a big deal.

Yet within days Vault 7 had pretty much faded from the news.
Stewart Baker, an attorney with Steptoe & Johnson who
served as NSA general counsel in the 1990s,
wondered during his March 13 cyberlaw podcast why the story
didnt have legs. Although it seemed to be immensely
painful for the CIA, assuming it was the CIAs tools that
were released, the impact on the body politic is starting to
look not very big, Baker commented.

Tom Kellermann wishes it were otherwise. Formerly chief
cybersecurity officer of threat protection company Trend Micro
and now CEO of investment firm Strategic Cyber Ventures,
Kellermann has been sounding the alarm in particularly colorful
terms. Vault 7, he says, represents the greatest robbery
of a government armory since the French Revolution. He
sees it as an action by a foreign power to discredit the
U.S. government and escalate a criminal arms race with
the digital equivalents of grenade launchers and machine guns.
With the exploits and attack platforms unveiled in
the WikiLeaks cache, criminals can become
telepathic, Kellermann warns, adding that
they are now hitting the streets and creating a free-fire
zone in American cyberspace.

Others echo the magnitude of the risks, albeit less
stridently.

At a March 13 Cybersecurity Summit in New York, sponsored by
Nasdaq and the National
Cyber Security Alliance, Michael Viscuso, who has worked as
an offensive hacker for both the CIA and the NSA, said the
Vault 7 revelations get to the heart of everything we
rely on for connectivity. Co-founder and chief technology
officer of information security company Carbon Black, Viscuso was referring
to the potential threat to networking equipment and the
possibility that the core integrity that we rely on
wont be there.

But there have been other sober reactions to Vault 7 that
may have contributed to its receding from public
prominence.

Ilia Kolochenko, founder and CEO of web security firm High-Tech Bridge, says he
was surprised that this particular incident has attracted
so much attention. It isnt news that the CIA
uses and will continue using various hacking tools and
techniques to obtain any information they need to protect the
country, he notes. This is their duty. So far, we
dont have any evidence that these capacities were used
unlawfully to, for example, violate U.S. citizens
privacy.

Although some observers worry that a CIA security
vulnerability was exposed, Kolochenko says the truth may be
more complicated: This can be an insider incident,
against which no large companies or governmental agencies are
protected in any country. It can also be a honeypot  to
distract someones attention from the real arsenal of U.S.
cyberwarfare. I am pretty confident that U.S. intelligence has
much bigger technical resources than the garbage exposed in the
leak.

Kenneth Geers, senior research scientist with Internet
security company Comodo
and senior fellow of the Atlantic Council,
saw nothing shocking and, for the most part, old
information in the release. If anything, it reinforces the
notion that encryption is effective in data protection, a
point also made by University of North Carolina associate
professor Zeynep Tufekci in a New York Times
opinion article describing Vault 7 as part of a
misinformation campaign.

However, nobody disputes another implication of the leaks:
that cyberwarfare is intensifying and that private citizens and
corporations are in the line of fire. James Lee, chief
marketing officer of application security firm Waratek, put it
this way: The release of an entire library of previously
unknown attack vectors means that underresourced and overworked
application (and network) security teams must prepare for the
inevitable  tools intended for government intelligence
being directed at businesses of all sizes.